Keycloak v5.1.0, Mar 14 23

keycloak.Realm

Allows for creating and managing Realms within Keycloak.

A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated from multiple sources.

Default Client Scopes

default_default_client_scopes - (Optional) A list of default default client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default default client-scopes.
default_optional_client_scopes - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default optional client-scopes.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        AccessCodeLifespan = "1h",
        Attributes = 
        {
            { "mycustomAttribute", "myCustomValue" },
        },
        DisplayName = "my realm",
        DisplayNameHtml = "<b>my realm</b>",
        Enabled = true,
        Internationalization = new Keycloak.Inputs.RealmInternationalizationArgs
        {
            DefaultLocale = "en",
            SupportedLocales = new[]
            {
                "en",
                "de",
                "es",
            },
        },
        LoginTheme = "base",
        PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
        RealmName = "my-realm",
        SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
        {
            BruteForceDetection = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
            {
                FailureResetTimeSeconds = 43200,
                MaxFailureWaitSeconds = 900,
                MaxLoginFailures = 30,
                MinimumQuickLoginWaitSeconds = 60,
                PermanentLockout = false,
                QuickLoginCheckMilliSeconds = 1000,
                WaitIncrementSeconds = 60,
            },
            Headers = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
            {
                ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
                ContentSecurityPolicyReportOnly = "",
                StrictTransportSecurity = "max-age=31536000; includeSubDomains",
                XContentTypeOptions = "nosniff",
                XFrameOptions = "DENY",
                XRobotsTag = "none",
                XXssProtection = "1; mode=block",
            },
        },
        SmtpServer = new Keycloak.Inputs.RealmSmtpServerArgs
        {
            Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
            {
                Password = "password",
                Username = "tom",
            },
            From = "example@example.com",
            Host = "smtp.example.com",
        },
        SslRequired = "external",
        WebAuthnPolicy = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
        {
            RelyingPartyEntityName = "Example",
            RelyingPartyId = "keycloak.example.com",
            SignatureAlgorithms = new[]
            {
                "ES256",
                "RS256",
            },
        },
    });

});

package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			AccessCodeLifespan: pulumi.String("1h"),
			Attributes: pulumi.AnyMap{
				"mycustomAttribute": pulumi.Any("myCustomValue"),
			},
			DisplayName:     pulumi.String("my realm"),
			DisplayNameHtml: pulumi.String("<b>my realm</b>"),
			Enabled:         pulumi.Bool(true),
			Internationalization: &keycloak.RealmInternationalizationArgs{
				DefaultLocale: pulumi.String("en"),
				SupportedLocales: pulumi.StringArray{
					pulumi.String("en"),
					pulumi.String("de"),
					pulumi.String("es"),
				},
			},
			LoginTheme:     pulumi.String("base"),
			PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"),
			Realm:          pulumi.String("my-realm"),
			SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
				BruteForceDetection: &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
					FailureResetTimeSeconds:      pulumi.Int(43200),
					MaxFailureWaitSeconds:        pulumi.Int(900),
					MaxLoginFailures:             pulumi.Int(30),
					MinimumQuickLoginWaitSeconds: pulumi.Int(60),
					PermanentLockout:             pulumi.Bool(false),
					QuickLoginCheckMilliSeconds:  pulumi.Int(1000),
					WaitIncrementSeconds:         pulumi.Int(60),
				},
				Headers: &keycloak.RealmSecurityDefensesHeadersArgs{
					ContentSecurityPolicy:           pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"),
					ContentSecurityPolicyReportOnly: pulumi.String(""),
					StrictTransportSecurity:         pulumi.String("max-age=31536000; includeSubDomains"),
					XContentTypeOptions:             pulumi.String("nosniff"),
					XFrameOptions:                   pulumi.String("DENY"),
					XRobotsTag:                      pulumi.String("none"),
					XXssProtection:                  pulumi.String("1; mode=block"),
				},
			},
			SmtpServer: &keycloak.RealmSmtpServerArgs{
				Auth: &keycloak.RealmSmtpServerAuthArgs{
					Password: pulumi.String("password"),
					Username: pulumi.String("tom"),
				},
				From: pulumi.String("example@example.com"),
				Host: pulumi.String("smtp.example.com"),
			},
			SslRequired: pulumi.String("external"),
			WebAuthnPolicy: &keycloak.RealmWebAuthnPolicyArgs{
				RelyingPartyEntityName: pulumi.String("Example"),
				RelyingPartyId:         pulumi.String("keycloak.example.com"),
				SignatureAlgorithms: pulumi.StringArray{
					pulumi.String("ES256"),
					pulumi.String("RS256"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.inputs.RealmInternationalizationArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesBruteForceDetectionArgs;
import com.pulumi.keycloak.inputs.RealmSecurityDefensesHeadersArgs;
import com.pulumi.keycloak.inputs.RealmSmtpServerArgs;
import com.pulumi.keycloak.inputs.RealmSmtpServerAuthArgs;
import com.pulumi.keycloak.inputs.RealmWebAuthnPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .accessCodeLifespan("1h")
            .attributes(Map.of("mycustomAttribute", "myCustomValue"))
            .displayName("my realm")
            .displayNameHtml("<b>my realm</b>")
            .enabled(true)
            .internationalization(RealmInternationalizationArgs.builder()
                .defaultLocale("en")
                .supportedLocales(                
                    "en",
                    "de",
                    "es")
                .build())
            .loginTheme("base")
            .passwordPolicy("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername")
            .realm("my-realm")
            .securityDefenses(RealmSecurityDefensesArgs.builder()
                .bruteForceDetection(RealmSecurityDefensesBruteForceDetectionArgs.builder()
                    .failureResetTimeSeconds(43200)
                    .maxFailureWaitSeconds(900)
                    .maxLoginFailures(30)
                    .minimumQuickLoginWaitSeconds(60)
                    .permanentLockout(false)
                    .quickLoginCheckMilliSeconds(1000)
                    .waitIncrementSeconds(60)
                    .build())
                .headers(RealmSecurityDefensesHeadersArgs.builder()
                    .contentSecurityPolicy("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
                    .contentSecurityPolicyReportOnly("")
                    .strictTransportSecurity("max-age=31536000; includeSubDomains")
                    .xContentTypeOptions("nosniff")
                    .xFrameOptions("DENY")
                    .xRobotsTag("none")
                    .xXssProtection("1; mode=block")
                    .build())
                .build())
            .smtpServer(RealmSmtpServerArgs.builder()
                .auth(RealmSmtpServerAuthArgs.builder()
                    .password("password")
                    .username("tom")
                    .build())
                .from("example@example.com")
                .host("smtp.example.com")
                .build())
            .sslRequired("external")
            .webAuthnPolicy(RealmWebAuthnPolicyArgs.builder()
                .relyingPartyEntityName("Example")
                .relyingPartyId("keycloak.example.com")
                .signatureAlgorithms(                
                    "ES256",
                    "RS256")
                .build())
            .build());

    }
}

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    access_code_lifespan="1h",
    attributes={
        "mycustomAttribute": "myCustomValue",
    },
    display_name="my realm",
    display_name_html="<b>my realm</b>",
    enabled=True,
    internationalization=keycloak.RealmInternationalizationArgs(
        default_locale="en",
        supported_locales=[
            "en",
            "de",
            "es",
        ],
    ),
    login_theme="base",
    password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm="my-realm",
    security_defenses=keycloak.RealmSecurityDefensesArgs(
        brute_force_detection=keycloak.RealmSecurityDefensesBruteForceDetectionArgs(
            failure_reset_time_seconds=43200,
            max_failure_wait_seconds=900,
            max_login_failures=30,
            minimum_quick_login_wait_seconds=60,
            permanent_lockout=False,
            quick_login_check_milli_seconds=1000,
            wait_increment_seconds=60,
        ),
        headers=keycloak.RealmSecurityDefensesHeadersArgs(
            content_security_policy="frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            content_security_policy_report_only="",
            strict_transport_security="max-age=31536000; includeSubDomains",
            x_content_type_options="nosniff",
            x_frame_options="DENY",
            x_robots_tag="none",
            x_xss_protection="1; mode=block",
        ),
    ),
    smtp_server=keycloak.RealmSmtpServerArgs(
        auth=keycloak.RealmSmtpServerAuthArgs(
            password="password",
            username="tom",
        ),
        from_="example@example.com",
        host="smtp.example.com",
    ),
    ssl_required="external",
    web_authn_policy=keycloak.RealmWebAuthnPolicyArgs(
        relying_party_entity_name="Example",
        relying_party_id="keycloak.example.com",
        signature_algorithms=[
            "ES256",
            "RS256",
        ],
    ))

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    accessCodeLifespan: "1h",
    attributes: {
        mycustomAttribute: "myCustomValue",
    },
    displayName: "my realm",
    displayNameHtml: "<b>my realm</b>",
    enabled: true,
    internationalization: {
        defaultLocale: "en",
        supportedLocales: [
            "en",
            "de",
            "es",
        ],
    },
    loginTheme: "base",
    passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
    realm: "my-realm",
    securityDefenses: {
        bruteForceDetection: {
            failureResetTimeSeconds: 43200,
            maxFailureWaitSeconds: 900,
            maxLoginFailures: 30,
            minimumQuickLoginWaitSeconds: 60,
            permanentLockout: false,
            quickLoginCheckMilliSeconds: 1000,
            waitIncrementSeconds: 60,
        },
        headers: {
            contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            contentSecurityPolicyReportOnly: "",
            strictTransportSecurity: "max-age=31536000; includeSubDomains",
            xContentTypeOptions: "nosniff",
            xFrameOptions: "DENY",
            xRobotsTag: "none",
            xXssProtection: "1; mode=block",
        },
    },
    smtpServer: {
        auth: {
            password: "password",
            username: "tom",
        },
        from: "example@example.com",
        host: "smtp.example.com",
    },
    sslRequired: "external",
    webAuthnPolicy: {
        relyingPartyEntityName: "Example",
        relyingPartyId: "keycloak.example.com",
        signatureAlgorithms: [
            "ES256",
            "RS256",
        ],
    },
});

resources:
  realm:
    type: keycloak:Realm
    properties:
      accessCodeLifespan: 1h
      attributes:
        mycustomAttribute: myCustomValue
      displayName: my realm
      displayNameHtml: <b>my realm</b>
      enabled: true
      internationalization:
        defaultLocale: en
        supportedLocales:
          - en
          - de
          - es
      loginTheme: base
      passwordPolicy: upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername
      realm: my-realm
      securityDefenses:
        bruteForceDetection:
          failureResetTimeSeconds: 43200
          maxFailureWaitSeconds: 900
          maxLoginFailures: 30
          minimumQuickLoginWaitSeconds: 60
          permanentLockout: false
          quickLoginCheckMilliSeconds: 1000
          waitIncrementSeconds: 60
        headers:
          contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
          contentSecurityPolicyReportOnly:
          strictTransportSecurity: max-age=31536000; includeSubDomains
          xContentTypeOptions: nosniff
          xFrameOptions: DENY
          xRobotsTag: none
          xXssProtection: 1; mode=block
      smtpServer:
        auth:
          password: password
          username: tom
        from: example@example.com
        host: smtp.example.com
      sslRequired: external
      webAuthnPolicy:
        relyingPartyEntityName: Example
        relyingPartyId: keycloak.example.com
        signatureAlgorithms:
          - ES256
          - RS256

Create Realm Resource

new Realm(name: string, args: RealmArgs, opts?: CustomResourceOptions);

@overload
def Realm(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          access_code_lifespan: Optional[str] = None,
          access_code_lifespan_login: Optional[str] = None,
          access_code_lifespan_user_action: Optional[str] = None,
          access_token_lifespan: Optional[str] = None,
          access_token_lifespan_for_implicit_flow: Optional[str] = None,
          account_theme: Optional[str] = None,
          action_token_generated_by_admin_lifespan: Optional[str] = None,
          action_token_generated_by_user_lifespan: Optional[str] = None,
          admin_theme: Optional[str] = None,
          attributes: Optional[Mapping[str, Any]] = None,
          browser_flow: Optional[str] = None,
          client_authentication_flow: Optional[str] = None,
          client_session_idle_timeout: Optional[str] = None,
          client_session_max_lifespan: Optional[str] = None,
          default_default_client_scopes: Optional[Sequence[str]] = None,
          default_optional_client_scopes: Optional[Sequence[str]] = None,
          default_signature_algorithm: Optional[str] = None,
          direct_grant_flow: Optional[str] = None,
          display_name: Optional[str] = None,
          display_name_html: Optional[str] = None,
          docker_authentication_flow: Optional[str] = None,
          duplicate_emails_allowed: Optional[bool] = None,
          edit_username_allowed: Optional[bool] = None,
          email_theme: Optional[str] = None,
          enabled: Optional[bool] = None,
          internal_id: Optional[str] = None,
          internationalization: Optional[RealmInternationalizationArgs] = None,
          login_theme: Optional[str] = None,
          login_with_email_allowed: Optional[bool] = None,
          oauth2_device_code_lifespan: Optional[str] = None,
          oauth2_device_polling_interval: Optional[int] = None,
          offline_session_idle_timeout: Optional[str] = None,
          offline_session_max_lifespan: Optional[str] = None,
          offline_session_max_lifespan_enabled: Optional[bool] = None,
          otp_policy: Optional[RealmOtpPolicyArgs] = None,
          password_policy: Optional[str] = None,
          realm: Optional[str] = None,
          refresh_token_max_reuse: Optional[int] = None,
          registration_allowed: Optional[bool] = None,
          registration_email_as_username: Optional[bool] = None,
          registration_flow: Optional[str] = None,
          remember_me: Optional[bool] = None,
          reset_credentials_flow: Optional[str] = None,
          reset_password_allowed: Optional[bool] = None,
          revoke_refresh_token: Optional[bool] = None,
          security_defenses: Optional[RealmSecurityDefensesArgs] = None,
          smtp_server: Optional[RealmSmtpServerArgs] = None,
          ssl_required: Optional[str] = None,
          sso_session_idle_timeout: Optional[str] = None,
          sso_session_idle_timeout_remember_me: Optional[str] = None,
          sso_session_max_lifespan: Optional[str] = None,
          sso_session_max_lifespan_remember_me: Optional[str] = None,
          user_managed_access: Optional[bool] = None,
          verify_email: Optional[bool] = None,
          web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
          web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None)
@overload
def Realm(resource_name: str,
          args: RealmArgs,
          opts: Optional[ResourceOptions] = None)

func NewRealm(ctx *Context, name string, args RealmArgs, opts ...ResourceOption) (*Realm, error)

public Realm(string name, RealmArgs args, CustomResourceOptions? opts = null)

public Realm(String name, RealmArgs args)
public Realm(String name, RealmArgs args, CustomResourceOptions options)

type: keycloak:Realm
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RealmArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args RealmArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args RealmArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args RealmArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args RealmArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Realm Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Realm resource accepts the following input properties:

RealmName string: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
AccessCodeLifespan string: The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string: The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string: The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string: Used for account management pages.
ActionTokenGeneratedByAdminLifespan string: The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string: The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string: Used for the admin console.
Attributes Dictionary<string, object>: A map of custom attributes to add to the realm.
BrowserFlow string: The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string: The desired flow for client authentication. Defaults to clients.
ClientSessionIdleTimeout string: The amount of time a session can be idle before it expires. Users can override it for individual clients.
ClientSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
DefaultDefaultClientScopes List<string>
DefaultOptionalClientScopes List<string>
DefaultSignatureAlgorithm string: Default algorithm used to sign tokens for the realm.
DirectGrantFlow string: The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string: The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool: When true, the username field is editable.
EmailTheme string: Used for emails that are sent by Keycloak.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
InternalId string: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
Internationalization RealmInternationalizationArgs
LoginTheme string: Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool: When true, users may log in with their email address.
Oauth2DeviceCodeLifespan string: The maximum amount of time a client has to finish the device code flow before it expires.
Oauth2DevicePollingInterval int: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
OfflineSessionIdleTimeout string: The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string: The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool: Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string: The password policy for users within the realm.
RefreshTokenMaxReuse int: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
RegistrationAllowed bool: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool: When true, the user's email will be used as their username during registration.
RegistrationFlow string: The desired flow for user registration. Defaults to registration.
RememberMe bool: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
ResetCredentialsFlow string: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool: When true, a "forgot password" link will be displayed on the login page.
RevokeRefreshToken bool: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string: Can be one of following values: 'none, 'external' or 'all'
SsoSessionIdleTimeout string: The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
SsoSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
UserManagedAccess bool: When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool: When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

Realm string: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
AccessCodeLifespan string: The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string: The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string: The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string: Used for account management pages.
ActionTokenGeneratedByAdminLifespan string: The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string: The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string: Used for the admin console.
Attributes map[string]interface{}: A map of custom attributes to add to the realm.
BrowserFlow string: The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string: The desired flow for client authentication. Defaults to clients.
ClientSessionIdleTimeout string: The amount of time a session can be idle before it expires. Users can override it for individual clients.
ClientSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
DefaultDefaultClientScopes []string
DefaultOptionalClientScopes []string
DefaultSignatureAlgorithm string: Default algorithm used to sign tokens for the realm.
DirectGrantFlow string: The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string: The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool: When true, the username field is editable.
EmailTheme string: Used for emails that are sent by Keycloak.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
InternalId string: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
Internationalization RealmInternationalizationArgs
LoginTheme string: Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool: When true, users may log in with their email address.
Oauth2DeviceCodeLifespan string: The maximum amount of time a client has to finish the device code flow before it expires.
Oauth2DevicePollingInterval int: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
OfflineSessionIdleTimeout string: The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string: The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool: Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string: The password policy for users within the realm.
RefreshTokenMaxReuse int: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
RegistrationAllowed bool: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool: When true, the user's email will be used as their username during registration.
RegistrationFlow string: The desired flow for user registration. Defaults to registration.
RememberMe bool: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
ResetCredentialsFlow string: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool: When true, a "forgot password" link will be displayed on the login page.
RevokeRefreshToken bool: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string: Can be one of following values: 'none, 'external' or 'all'
SsoSessionIdleTimeout string: The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
SsoSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
UserManagedAccess bool: When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool: When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

realm String: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
accessCodeLifespan String: The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin String: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction String: The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan String: The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow String: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme String: Used for account management pages.
actionTokenGeneratedByAdminLifespan String: The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan String: The maximum time a user has to use a user-generated permit before it expires.
adminTheme String: Used for the admin console.
attributes Map<String,Object>: A map of custom attributes to add to the realm.
browserFlow String: The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow String: The desired flow for client authentication. Defaults to clients.
clientSessionIdleTimeout String: The amount of time a session can be idle before it expires. Users can override it for individual clients.
clientSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
defaultDefaultClientScopes List<String>
defaultOptionalClientScopes List<String>
defaultSignatureAlgorithm String: Default algorithm used to sign tokens for the realm.
directGrantFlow String: The desired flow for direct access authentication. Defaults to direct grant.
displayName String: The display name for the realm that is shown when logging in to the admin console.
displayNameHtml String: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow String: The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed Boolean: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed Boolean: When true, the username field is editable.
emailTheme String: Used for emails that are sent by Keycloak.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
internalId String: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization RealmInternationalizationArgs
loginTheme String: Used for the login, forgot password, and registration pages.
loginWithEmailAllowed Boolean: When true, users may log in with their email address.
oauth2DeviceCodeLifespan String: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2DevicePollingInterval Integer: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offlineSessionIdleTimeout String: The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan String: The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled Boolean: Enable offline_session_max_lifespan.
otpPolicy RealmOtpPolicyArgs
passwordPolicy String: The password policy for users within the realm.
refreshTokenMaxReuse Integer: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed Boolean: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername Boolean: When true, the user's email will be used as their username during registration.
registrationFlow String: The desired flow for user registration. Defaults to registration.
rememberMe Boolean: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
resetCredentialsFlow String: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed Boolean: When true, a "forgot password" link will be displayed on the login page.
revokeRefreshToken Boolean: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
securityDefenses RealmSecurityDefensesArgs
smtpServer RealmSmtpServerArgs
sslRequired String: Can be one of following values: 'none, 'external' or 'all'
ssoSessionIdleTimeout String: The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe String: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
ssoSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe String: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
userManagedAccess Boolean: When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail Boolean: When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

realm string: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
accessCodeLifespan string: The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin string: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction string: The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan string: The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow string: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme string: Used for account management pages.
actionTokenGeneratedByAdminLifespan string: The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan string: The maximum time a user has to use a user-generated permit before it expires.
adminTheme string: Used for the admin console.
attributes {[key: string]: any}: A map of custom attributes to add to the realm.
browserFlow string: The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow string: The desired flow for client authentication. Defaults to clients.
clientSessionIdleTimeout string: The amount of time a session can be idle before it expires. Users can override it for individual clients.
clientSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
defaultDefaultClientScopes string[]
defaultOptionalClientScopes string[]
defaultSignatureAlgorithm string: Default algorithm used to sign tokens for the realm.
directGrantFlow string: The desired flow for direct access authentication. Defaults to direct grant.
displayName string: The display name for the realm that is shown when logging in to the admin console.
displayNameHtml string: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow string: The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed boolean: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed boolean: When true, the username field is editable.
emailTheme string: Used for emails that are sent by Keycloak.
enabled boolean: When false, users and clients will not be able to access this realm. Defaults to true.
internalId string: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization RealmInternationalizationArgs
loginTheme string: Used for the login, forgot password, and registration pages.
loginWithEmailAllowed boolean: When true, users may log in with their email address.
oauth2DeviceCodeLifespan string: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2DevicePollingInterval number: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offlineSessionIdleTimeout string: The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan string: The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled boolean: Enable offline_session_max_lifespan.
otpPolicy RealmOtpPolicyArgs
passwordPolicy string: The password policy for users within the realm.
refreshTokenMaxReuse number: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed boolean: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername boolean: When true, the user's email will be used as their username during registration.
registrationFlow string: The desired flow for user registration. Defaults to registration.
rememberMe boolean: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
resetCredentialsFlow string: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed boolean: When true, a "forgot password" link will be displayed on the login page.
revokeRefreshToken boolean: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
securityDefenses RealmSecurityDefensesArgs
smtpServer RealmSmtpServerArgs
sslRequired string: Can be one of following values: 'none, 'external' or 'all'
ssoSessionIdleTimeout string: The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe string: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
ssoSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe string: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
userManagedAccess boolean: When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail boolean: When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

realm str: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
access_code_lifespan str: The maximum amount of time a client has to finish the authorization code flow.
access_code_lifespan_login str: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
access_code_lifespan_user_action str: The maximum amount of time a user has to complete login related actions, such as updating a password.
access_token_lifespan str: The amount of time an access token can be used before it expires.
access_token_lifespan_for_implicit_flow str: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
account_theme str: Used for account management pages.
action_token_generated_by_admin_lifespan str: The maximum time a user has to use an admin-generated permit before it expires.
action_token_generated_by_user_lifespan str: The maximum time a user has to use a user-generated permit before it expires.
admin_theme str: Used for the admin console.
attributes Mapping[str, Any]: A map of custom attributes to add to the realm.
browser_flow str: The desired flow for browser authentication. Defaults to browser.
client_authentication_flow str: The desired flow for client authentication. Defaults to clients.
client_session_idle_timeout str: The amount of time a session can be idle before it expires. Users can override it for individual clients.
client_session_max_lifespan str: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
default_default_client_scopes Sequence[str]
default_optional_client_scopes Sequence[str]
default_signature_algorithm str: Default algorithm used to sign tokens for the realm.
direct_grant_flow str: The desired flow for direct access authentication. Defaults to direct grant.
display_name str: The display name for the realm that is shown when logging in to the admin console.
display_name_html str: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
docker_authentication_flow str: The desired flow for Docker authentication. Defaults to docker auth.
duplicate_emails_allowed bool: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
edit_username_allowed bool: When true, the username field is editable.
email_theme str: Used for emails that are sent by Keycloak.
enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
internal_id str: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization RealmInternationalizationArgs
login_theme str: Used for the login, forgot password, and registration pages.
login_with_email_allowed bool: When true, users may log in with their email address.
oauth2_device_code_lifespan str: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2_device_polling_interval int: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offline_session_idle_timeout str: The amount of time an offline session can be idle before it expires.
offline_session_max_lifespan str: The maximum amount of time before an offline session expires regardless of activity.
offline_session_max_lifespan_enabled bool: Enable offline_session_max_lifespan.
otp_policy RealmOtpPolicyArgs
password_policy str: The password policy for users within the realm.
refresh_token_max_reuse int: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registration_allowed bool: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registration_email_as_username bool: When true, the user's email will be used as their username during registration.
registration_flow str: The desired flow for user registration. Defaults to registration.
remember_me bool: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
reset_credentials_flow str: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
reset_password_allowed bool: When true, a "forgot password" link will be displayed on the login page.
revoke_refresh_token bool: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
security_defenses RealmSecurityDefensesArgs
smtp_server RealmSmtpServerArgs
ssl_required str: Can be one of following values: 'none, 'external' or 'all'
sso_session_idle_timeout str: The amount of time a session can be idle before it expires.
sso_session_idle_timeout_remember_me str: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
sso_session_max_lifespan str: The maximum amount of time before a session expires regardless of activity.
sso_session_max_lifespan_remember_me str: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
user_managed_access bool: When true, users are allowed to manage their own resources. Defaults to false.
verify_email bool: When true, users are required to verify their email address after registration and after email address changes.
web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
web_authn_policy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

realm String: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
accessCodeLifespan String: The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin String: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction String: The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan String: The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow String: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme String: Used for account management pages.
actionTokenGeneratedByAdminLifespan String: The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan String: The maximum time a user has to use a user-generated permit before it expires.
adminTheme String: Used for the admin console.
attributes Map<Any>: A map of custom attributes to add to the realm.
browserFlow String: The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow String: The desired flow for client authentication. Defaults to clients.
clientSessionIdleTimeout String: The amount of time a session can be idle before it expires. Users can override it for individual clients.
clientSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
defaultDefaultClientScopes List<String>
defaultOptionalClientScopes List<String>
defaultSignatureAlgorithm String: Default algorithm used to sign tokens for the realm.
directGrantFlow String: The desired flow for direct access authentication. Defaults to direct grant.
displayName String: The display name for the realm that is shown when logging in to the admin console.
displayNameHtml String: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow String: The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed Boolean: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed Boolean: When true, the username field is editable.
emailTheme String: Used for emails that are sent by Keycloak.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
internalId String: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization Property Map
loginTheme String: Used for the login, forgot password, and registration pages.
loginWithEmailAllowed Boolean: When true, users may log in with their email address.
oauth2DeviceCodeLifespan String: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2DevicePollingInterval Number: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offlineSessionIdleTimeout String: The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan String: The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled Boolean: Enable offline_session_max_lifespan.
otpPolicy Property Map
passwordPolicy String: The password policy for users within the realm.
refreshTokenMaxReuse Number: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed Boolean: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername Boolean: When true, the user's email will be used as their username during registration.
registrationFlow String: The desired flow for user registration. Defaults to registration.
rememberMe Boolean: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
resetCredentialsFlow String: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed Boolean: When true, a "forgot password" link will be displayed on the login page.
revokeRefreshToken Boolean: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
securityDefenses Property Map
smtpServer Property Map
sslRequired String: Can be one of following values: 'none, 'external' or 'all'
ssoSessionIdleTimeout String: The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe String: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
ssoSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe String: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
userManagedAccess Boolean: When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail Boolean: When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy Property Map: Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy Property Map: Configuration for WebAuthn Policy authentication.

Outputs

All input properties are implicitly available as output properties. Additionally, the Realm resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Realm Resource

Get an existing Realm resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RealmState, opts?: CustomResourceOptions): Realm

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_code_lifespan: Optional[str] = None,
        access_code_lifespan_login: Optional[str] = None,
        access_code_lifespan_user_action: Optional[str] = None,
        access_token_lifespan: Optional[str] = None,
        access_token_lifespan_for_implicit_flow: Optional[str] = None,
        account_theme: Optional[str] = None,
        action_token_generated_by_admin_lifespan: Optional[str] = None,
        action_token_generated_by_user_lifespan: Optional[str] = None,
        admin_theme: Optional[str] = None,
        attributes: Optional[Mapping[str, Any]] = None,
        browser_flow: Optional[str] = None,
        client_authentication_flow: Optional[str] = None,
        client_session_idle_timeout: Optional[str] = None,
        client_session_max_lifespan: Optional[str] = None,
        default_default_client_scopes: Optional[Sequence[str]] = None,
        default_optional_client_scopes: Optional[Sequence[str]] = None,
        default_signature_algorithm: Optional[str] = None,
        direct_grant_flow: Optional[str] = None,
        display_name: Optional[str] = None,
        display_name_html: Optional[str] = None,
        docker_authentication_flow: Optional[str] = None,
        duplicate_emails_allowed: Optional[bool] = None,
        edit_username_allowed: Optional[bool] = None,
        email_theme: Optional[str] = None,
        enabled: Optional[bool] = None,
        internal_id: Optional[str] = None,
        internationalization: Optional[RealmInternationalizationArgs] = None,
        login_theme: Optional[str] = None,
        login_with_email_allowed: Optional[bool] = None,
        oauth2_device_code_lifespan: Optional[str] = None,
        oauth2_device_polling_interval: Optional[int] = None,
        offline_session_idle_timeout: Optional[str] = None,
        offline_session_max_lifespan: Optional[str] = None,
        offline_session_max_lifespan_enabled: Optional[bool] = None,
        otp_policy: Optional[RealmOtpPolicyArgs] = None,
        password_policy: Optional[str] = None,
        realm: Optional[str] = None,
        refresh_token_max_reuse: Optional[int] = None,
        registration_allowed: Optional[bool] = None,
        registration_email_as_username: Optional[bool] = None,
        registration_flow: Optional[str] = None,
        remember_me: Optional[bool] = None,
        reset_credentials_flow: Optional[str] = None,
        reset_password_allowed: Optional[bool] = None,
        revoke_refresh_token: Optional[bool] = None,
        security_defenses: Optional[RealmSecurityDefensesArgs] = None,
        smtp_server: Optional[RealmSmtpServerArgs] = None,
        ssl_required: Optional[str] = None,
        sso_session_idle_timeout: Optional[str] = None,
        sso_session_idle_timeout_remember_me: Optional[str] = None,
        sso_session_max_lifespan: Optional[str] = None,
        sso_session_max_lifespan_remember_me: Optional[str] = None,
        user_managed_access: Optional[bool] = None,
        verify_email: Optional[bool] = None,
        web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
        web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None) -> Realm

func GetRealm(ctx *Context, name string, id IDInput, state *RealmState, opts ...ResourceOption) (*Realm, error)

public static Realm Get(string name, Input<string> id, RealmState? state, CustomResourceOptions? opts = null)

public static Realm get(String name, Output<String> id, RealmState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessCodeLifespan string: The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string: The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string: The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string: Used for account management pages.
ActionTokenGeneratedByAdminLifespan string: The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string: The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string: Used for the admin console.
Attributes Dictionary<string, object>: A map of custom attributes to add to the realm.
BrowserFlow string: The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string: The desired flow for client authentication. Defaults to clients.
ClientSessionIdleTimeout string: The amount of time a session can be idle before it expires. Users can override it for individual clients.
ClientSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
DefaultDefaultClientScopes List<string>
DefaultOptionalClientScopes List<string>
DefaultSignatureAlgorithm string: Default algorithm used to sign tokens for the realm.
DirectGrantFlow string: The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string: The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool: When true, the username field is editable.
EmailTheme string: Used for emails that are sent by Keycloak.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
InternalId string: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
Internationalization RealmInternationalizationArgs
LoginTheme string: Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool: When true, users may log in with their email address.
Oauth2DeviceCodeLifespan string: The maximum amount of time a client has to finish the device code flow before it expires.
Oauth2DevicePollingInterval int: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
OfflineSessionIdleTimeout string: The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string: The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool: Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string: The password policy for users within the realm.
RealmName string: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
RefreshTokenMaxReuse int: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
RegistrationAllowed bool: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool: When true, the user's email will be used as their username during registration.
RegistrationFlow string: The desired flow for user registration. Defaults to registration.
RememberMe bool: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
ResetCredentialsFlow string: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool: When true, a "forgot password" link will be displayed on the login page.
RevokeRefreshToken bool: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string: Can be one of following values: 'none, 'external' or 'all'
SsoSessionIdleTimeout string: The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
SsoSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
UserManagedAccess bool: When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool: When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

AccessCodeLifespan string: The maximum amount of time a client has to finish the authorization code flow.
AccessCodeLifespanLogin string: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
AccessCodeLifespanUserAction string: The maximum amount of time a user has to complete login related actions, such as updating a password.
AccessTokenLifespan string: The amount of time an access token can be used before it expires.
AccessTokenLifespanForImplicitFlow string: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
AccountTheme string: Used for account management pages.
ActionTokenGeneratedByAdminLifespan string: The maximum time a user has to use an admin-generated permit before it expires.
ActionTokenGeneratedByUserLifespan string: The maximum time a user has to use a user-generated permit before it expires.
AdminTheme string: Used for the admin console.
Attributes map[string]interface{}: A map of custom attributes to add to the realm.
BrowserFlow string: The desired flow for browser authentication. Defaults to browser.
ClientAuthenticationFlow string: The desired flow for client authentication. Defaults to clients.
ClientSessionIdleTimeout string: The amount of time a session can be idle before it expires. Users can override it for individual clients.
ClientSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
DefaultDefaultClientScopes []string
DefaultOptionalClientScopes []string
DefaultSignatureAlgorithm string: Default algorithm used to sign tokens for the realm.
DirectGrantFlow string: The desired flow for direct access authentication. Defaults to direct grant.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
DisplayNameHtml string: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
DockerAuthenticationFlow string: The desired flow for Docker authentication. Defaults to docker auth.
DuplicateEmailsAllowed bool: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
EditUsernameAllowed bool: When true, the username field is editable.
EmailTheme string: Used for emails that are sent by Keycloak.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
InternalId string: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
Internationalization RealmInternationalizationArgs
LoginTheme string: Used for the login, forgot password, and registration pages.
LoginWithEmailAllowed bool: When true, users may log in with their email address.
Oauth2DeviceCodeLifespan string: The maximum amount of time a client has to finish the device code flow before it expires.
Oauth2DevicePollingInterval int: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
OfflineSessionIdleTimeout string: The amount of time an offline session can be idle before it expires.
OfflineSessionMaxLifespan string: The maximum amount of time before an offline session expires regardless of activity.
OfflineSessionMaxLifespanEnabled bool: Enable offline_session_max_lifespan.
OtpPolicy RealmOtpPolicyArgs
PasswordPolicy string: The password policy for users within the realm.
Realm string: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
RefreshTokenMaxReuse int: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
RegistrationAllowed bool: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
RegistrationEmailAsUsername bool: When true, the user's email will be used as their username during registration.
RegistrationFlow string: The desired flow for user registration. Defaults to registration.
RememberMe bool: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
ResetCredentialsFlow string: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
ResetPasswordAllowed bool: When true, a "forgot password" link will be displayed on the login page.
RevokeRefreshToken bool: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
SecurityDefenses RealmSecurityDefensesArgs
SmtpServer RealmSmtpServerArgs
SslRequired string: Can be one of following values: 'none, 'external' or 'all'
SsoSessionIdleTimeout string: The amount of time a session can be idle before it expires.
SsoSessionIdleTimeoutRememberMe string: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
SsoSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity.
SsoSessionMaxLifespanRememberMe string: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
UserManagedAccess bool: When true, users are allowed to manage their own resources. Defaults to false.
VerifyEmail bool: When true, users are required to verify their email address after registration and after email address changes.
WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
WebAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

accessCodeLifespan String: The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin String: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction String: The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan String: The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow String: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme String: Used for account management pages.
actionTokenGeneratedByAdminLifespan String: The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan String: The maximum time a user has to use a user-generated permit before it expires.
adminTheme String: Used for the admin console.
attributes Map<String,Object>: A map of custom attributes to add to the realm.
browserFlow String: The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow String: The desired flow for client authentication. Defaults to clients.
clientSessionIdleTimeout String: The amount of time a session can be idle before it expires. Users can override it for individual clients.
clientSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
defaultDefaultClientScopes List<String>
defaultOptionalClientScopes List<String>
defaultSignatureAlgorithm String: Default algorithm used to sign tokens for the realm.
directGrantFlow String: The desired flow for direct access authentication. Defaults to direct grant.
displayName String: The display name for the realm that is shown when logging in to the admin console.
displayNameHtml String: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow String: The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed Boolean: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed Boolean: When true, the username field is editable.
emailTheme String: Used for emails that are sent by Keycloak.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
internalId String: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization RealmInternationalizationArgs
loginTheme String: Used for the login, forgot password, and registration pages.
loginWithEmailAllowed Boolean: When true, users may log in with their email address.
oauth2DeviceCodeLifespan String: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2DevicePollingInterval Integer: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offlineSessionIdleTimeout String: The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan String: The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled Boolean: Enable offline_session_max_lifespan.
otpPolicy RealmOtpPolicyArgs
passwordPolicy String: The password policy for users within the realm.
realm String: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
refreshTokenMaxReuse Integer: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed Boolean: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername Boolean: When true, the user's email will be used as their username during registration.
registrationFlow String: The desired flow for user registration. Defaults to registration.
rememberMe Boolean: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
resetCredentialsFlow String: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed Boolean: When true, a "forgot password" link will be displayed on the login page.
revokeRefreshToken Boolean: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
securityDefenses RealmSecurityDefensesArgs
smtpServer RealmSmtpServerArgs
sslRequired String: Can be one of following values: 'none, 'external' or 'all'
ssoSessionIdleTimeout String: The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe String: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
ssoSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe String: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
userManagedAccess Boolean: When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail Boolean: When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

accessCodeLifespan string: The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin string: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction string: The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan string: The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow string: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme string: Used for account management pages.
actionTokenGeneratedByAdminLifespan string: The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan string: The maximum time a user has to use a user-generated permit before it expires.
adminTheme string: Used for the admin console.
attributes {[key: string]: any}: A map of custom attributes to add to the realm.
browserFlow string: The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow string: The desired flow for client authentication. Defaults to clients.
clientSessionIdleTimeout string: The amount of time a session can be idle before it expires. Users can override it for individual clients.
clientSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
defaultDefaultClientScopes string[]
defaultOptionalClientScopes string[]
defaultSignatureAlgorithm string: Default algorithm used to sign tokens for the realm.
directGrantFlow string: The desired flow for direct access authentication. Defaults to direct grant.
displayName string: The display name for the realm that is shown when logging in to the admin console.
displayNameHtml string: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow string: The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed boolean: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed boolean: When true, the username field is editable.
emailTheme string: Used for emails that are sent by Keycloak.
enabled boolean: When false, users and clients will not be able to access this realm. Defaults to true.
internalId string: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization RealmInternationalizationArgs
loginTheme string: Used for the login, forgot password, and registration pages.
loginWithEmailAllowed boolean: When true, users may log in with their email address.
oauth2DeviceCodeLifespan string: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2DevicePollingInterval number: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offlineSessionIdleTimeout string: The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan string: The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled boolean: Enable offline_session_max_lifespan.
otpPolicy RealmOtpPolicyArgs
passwordPolicy string: The password policy for users within the realm.
realm string: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
refreshTokenMaxReuse number: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed boolean: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername boolean: When true, the user's email will be used as their username during registration.
registrationFlow string: The desired flow for user registration. Defaults to registration.
rememberMe boolean: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
resetCredentialsFlow string: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed boolean: When true, a "forgot password" link will be displayed on the login page.
revokeRefreshToken boolean: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
securityDefenses RealmSecurityDefensesArgs
smtpServer RealmSmtpServerArgs
sslRequired string: Can be one of following values: 'none, 'external' or 'all'
ssoSessionIdleTimeout string: The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe string: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
ssoSessionMaxLifespan string: The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe string: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
userManagedAccess boolean: When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail boolean: When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

access_code_lifespan str: The maximum amount of time a client has to finish the authorization code flow.
access_code_lifespan_login str: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
access_code_lifespan_user_action str: The maximum amount of time a user has to complete login related actions, such as updating a password.
access_token_lifespan str: The amount of time an access token can be used before it expires.
access_token_lifespan_for_implicit_flow str: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
account_theme str: Used for account management pages.
action_token_generated_by_admin_lifespan str: The maximum time a user has to use an admin-generated permit before it expires.
action_token_generated_by_user_lifespan str: The maximum time a user has to use a user-generated permit before it expires.
admin_theme str: Used for the admin console.
attributes Mapping[str, Any]: A map of custom attributes to add to the realm.
browser_flow str: The desired flow for browser authentication. Defaults to browser.
client_authentication_flow str: The desired flow for client authentication. Defaults to clients.
client_session_idle_timeout str: The amount of time a session can be idle before it expires. Users can override it for individual clients.
client_session_max_lifespan str: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
default_default_client_scopes Sequence[str]
default_optional_client_scopes Sequence[str]
default_signature_algorithm str: Default algorithm used to sign tokens for the realm.
direct_grant_flow str: The desired flow for direct access authentication. Defaults to direct grant.
display_name str: The display name for the realm that is shown when logging in to the admin console.
display_name_html str: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
docker_authentication_flow str: The desired flow for Docker authentication. Defaults to docker auth.
duplicate_emails_allowed bool: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
edit_username_allowed bool: When true, the username field is editable.
email_theme str: Used for emails that are sent by Keycloak.
enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
internal_id str: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization RealmInternationalizationArgs
login_theme str: Used for the login, forgot password, and registration pages.
login_with_email_allowed bool: When true, users may log in with their email address.
oauth2_device_code_lifespan str: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2_device_polling_interval int: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offline_session_idle_timeout str: The amount of time an offline session can be idle before it expires.
offline_session_max_lifespan str: The maximum amount of time before an offline session expires regardless of activity.
offline_session_max_lifespan_enabled bool: Enable offline_session_max_lifespan.
otp_policy RealmOtpPolicyArgs
password_policy str: The password policy for users within the realm.
realm str: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
refresh_token_max_reuse int: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registration_allowed bool: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registration_email_as_username bool: When true, the user's email will be used as their username during registration.
registration_flow str: The desired flow for user registration. Defaults to registration.
remember_me bool: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
reset_credentials_flow str: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
reset_password_allowed bool: When true, a "forgot password" link will be displayed on the login page.
revoke_refresh_token bool: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
security_defenses RealmSecurityDefensesArgs
smtp_server RealmSmtpServerArgs
ssl_required str: Can be one of following values: 'none, 'external' or 'all'
sso_session_idle_timeout str: The amount of time a session can be idle before it expires.
sso_session_idle_timeout_remember_me str: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
sso_session_max_lifespan str: The maximum amount of time before a session expires regardless of activity.
sso_session_max_lifespan_remember_me str: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
user_managed_access bool: When true, users are allowed to manage their own resources. Defaults to false.
verify_email bool: When true, users are required to verify their email address after registration and after email address changes.
web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs: Configuration for WebAuthn Passwordless Policy authentication.
web_authn_policy RealmWebAuthnPolicyArgs: Configuration for WebAuthn Policy authentication.

accessCodeLifespan String: The maximum amount of time a client has to finish the authorization code flow.
accessCodeLifespanLogin String: The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.
accessCodeLifespanUserAction String: The maximum amount of time a user has to complete login related actions, such as updating a password.
accessTokenLifespan String: The amount of time an access token can be used before it expires.
accessTokenLifespanForImplicitFlow String: The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.
accountTheme String: Used for account management pages.
actionTokenGeneratedByAdminLifespan String: The maximum time a user has to use an admin-generated permit before it expires.
actionTokenGeneratedByUserLifespan String: The maximum time a user has to use a user-generated permit before it expires.
adminTheme String: Used for the admin console.
attributes Map<Any>: A map of custom attributes to add to the realm.
browserFlow String: The desired flow for browser authentication. Defaults to browser.
clientAuthenticationFlow String: The desired flow for client authentication. Defaults to clients.
clientSessionIdleTimeout String: The amount of time a session can be idle before it expires. Users can override it for individual clients.
clientSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.
defaultDefaultClientScopes List<String>
defaultOptionalClientScopes List<String>
defaultSignatureAlgorithm String: Default algorithm used to sign tokens for the realm.
directGrantFlow String: The desired flow for direct access authentication. Defaults to direct grant.
displayName String: The display name for the realm that is shown when logging in to the admin console.
displayNameHtml String: The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.
dockerAuthenticationFlow String: The desired flow for Docker authentication. Defaults to docker auth.
duplicateEmailsAllowed Boolean: When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.
editUsernameAllowed Boolean: When true, the username field is editable.
emailTheme String: Used for emails that are sent by Keycloak.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
internalId String: When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.
internationalization Property Map
loginTheme String: Used for the login, forgot password, and registration pages.
loginWithEmailAllowed Boolean: When true, users may log in with their email address.
oauth2DeviceCodeLifespan String: The maximum amount of time a client has to finish the device code flow before it expires.
oauth2DevicePollingInterval Number: The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
offlineSessionIdleTimeout String: The amount of time an offline session can be idle before it expires.
offlineSessionMaxLifespan String: The maximum amount of time before an offline session expires regardless of activity.
offlineSessionMaxLifespanEnabled Boolean: Enable offline_session_max_lifespan.
otpPolicy Property Map
passwordPolicy String: The password policy for users within the realm.
realm String: The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.
refreshTokenMaxReuse Number: Maximum number of times a refresh token can be reused before they are revoked. If unspecified and 'revoke_refresh_token' is enabled the default value is 0 and refresh tokens can not be reused.
registrationAllowed Boolean: When true, user registration will be enabled, and a link for registration will be displayed on the login page.
registrationEmailAsUsername Boolean: When true, the user's email will be used as their username during registration.
registrationFlow String: The desired flow for user registration. Defaults to registration.
rememberMe Boolean: When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.
resetCredentialsFlow String: The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.
resetPasswordAllowed Boolean: When true, a "forgot password" link will be displayed on the login page.
revokeRefreshToken Boolean: If enabled a refresh token can only be used number of times specified in 'refresh_token_max_reuse' before they are revoked. If unspecified, refresh tokens can be reused.
securityDefenses Property Map
smtpServer Property Map
sslRequired String: Can be one of following values: 'none, 'external' or 'all'
ssoSessionIdleTimeout String: The amount of time a session can be idle before it expires.
ssoSessionIdleTimeoutRememberMe String: Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.
ssoSessionMaxLifespan String: The maximum amount of time before a session expires regardless of activity.
ssoSessionMaxLifespanRememberMe String: Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.
userManagedAccess Boolean: When true, users are allowed to manage their own resources. Defaults to false.
verifyEmail Boolean: When true, users are required to verify their email address after registration and after email address changes.
webAuthnPasswordlessPolicy Property Map: Configuration for WebAuthn Passwordless Policy authentication.
webAuthnPolicy Property Map: Configuration for WebAuthn Policy authentication.

Supporting Types

RealmInternationalization

DefaultLocale string: The locale to use by default. This locale code must be present within the supported_locales list.
SupportedLocales List<string>: A list of ISO 639-1 locale codes that the realm should support.

DefaultLocale string: The locale to use by default. This locale code must be present within the supported_locales list.
SupportedLocales []string: A list of ISO 639-1 locale codes that the realm should support.

defaultLocale String: The locale to use by default. This locale code must be present within the supported_locales list.
supportedLocales List<String>: A list of ISO 639-1 locale codes that the realm should support.

defaultLocale string: The locale to use by default. This locale code must be present within the supported_locales list.
supportedLocales string[]: A list of ISO 639-1 locale codes that the realm should support.

default_locale str: The locale to use by default. This locale code must be present within the supported_locales list.
supported_locales Sequence[str]: A list of ISO 639-1 locale codes that the realm should support.

defaultLocale String: The locale to use by default. This locale code must be present within the supported_locales list.
supportedLocales List<String>: A list of ISO 639-1 locale codes that the realm should support.

RealmOtpPolicy

Algorithm string: What hashing algorithm should be used to generate the OTP, Valid options are HmacSHA1,HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
Digits int: How many digits the OTP have. Defaults to 6.
InitialCounter int: What should the initial counter value be. Defaults to 2.
LookAheadWindow int: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
Period int: How many seconds should an OTP token be valid. Defaults to 30.
Type string: One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

Algorithm string: What hashing algorithm should be used to generate the OTP, Valid options are HmacSHA1,HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
Digits int: How many digits the OTP have. Defaults to 6.
InitialCounter int: What should the initial counter value be. Defaults to 2.
LookAheadWindow int: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
Period int: How many seconds should an OTP token be valid. Defaults to 30.
Type string: One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

algorithm String: What hashing algorithm should be used to generate the OTP, Valid options are HmacSHA1,HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
digits Integer: How many digits the OTP have. Defaults to 6.
initialCounter Integer: What should the initial counter value be. Defaults to 2.
lookAheadWindow Integer: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
period Integer: How many seconds should an OTP token be valid. Defaults to 30.
type String: One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

algorithm string: What hashing algorithm should be used to generate the OTP, Valid options are HmacSHA1,HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
digits number: How many digits the OTP have. Defaults to 6.
initialCounter number: What should the initial counter value be. Defaults to 2.
lookAheadWindow number: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
period number: How many seconds should an OTP token be valid. Defaults to 30.
type string: One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

algorithm str: What hashing algorithm should be used to generate the OTP, Valid options are HmacSHA1,HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
digits int: How many digits the OTP have. Defaults to 6.
initial_counter int: What should the initial counter value be. Defaults to 2.
look_ahead_window int: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
period int: How many seconds should an OTP token be valid. Defaults to 30.
type str: One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

algorithm String: What hashing algorithm should be used to generate the OTP, Valid options are HmacSHA1,HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.
digits Number: How many digits the OTP have. Defaults to 6.
initialCounter Number: What should the initial counter value be. Defaults to 2.
lookAheadWindow Number: How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.
period Number: How many seconds should an OTP token be valid. Defaults to 30.
type String: One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

RealmSecurityDefenses

BruteForceDetection RealmSecurityDefensesBruteForceDetection
Headers RealmSecurityDefensesHeaders

BruteForceDetection RealmSecurityDefensesBruteForceDetection
Headers RealmSecurityDefensesHeaders

bruteForceDetection RealmSecurityDefensesBruteForceDetection
headers RealmSecurityDefensesHeaders

bruteForceDetection RealmSecurityDefensesBruteForceDetection
headers RealmSecurityDefensesHeaders

brute_force_detection RealmSecurityDefensesBruteForceDetection
headers RealmSecurityDefensesHeaders

bruteForceDetection Property Map
headers Property Map

RealmSecurityDefensesBruteForceDetection

FailureResetTimeSeconds int

When will failure count be reset?

MaxFailureWaitSeconds int

MaxLoginFailures int

How many failures before wait is triggered.

MinimumQuickLoginWaitSeconds int

How long to wait after a quick login failure.

max_failure_wait_seconds - (Optional) Max. time a user will be locked out.

PermanentLockout bool

When true, this will lock the user permanently when the user exceeds the maximum login failures.

QuickLoginCheckMilliSeconds int

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

WaitIncrementSeconds int

This represents the amount of time a user should be locked out when the login failure threshold has been met.

FailureResetTimeSeconds int

When will failure count be reset?

MaxFailureWaitSeconds int

MaxLoginFailures int

How many failures before wait is triggered.

MinimumQuickLoginWaitSeconds int

How long to wait after a quick login failure.

max_failure_wait_seconds - (Optional) Max. time a user will be locked out.

PermanentLockout bool

When true, this will lock the user permanently when the user exceeds the maximum login failures.

QuickLoginCheckMilliSeconds int

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

WaitIncrementSeconds int

This represents the amount of time a user should be locked out when the login failure threshold has been met.

failureResetTimeSeconds Integer

When will failure count be reset?

maxFailureWaitSeconds Integer

maxLoginFailures Integer

How many failures before wait is triggered.

minimumQuickLoginWaitSeconds Integer

How long to wait after a quick login failure.

max_failure_wait_seconds - (Optional) Max. time a user will be locked out.

permanentLockout Boolean

When true, this will lock the user permanently when the user exceeds the maximum login failures.

quickLoginCheckMilliSeconds Integer

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

waitIncrementSeconds Integer

This represents the amount of time a user should be locked out when the login failure threshold has been met.

failureResetTimeSeconds number

When will failure count be reset?

maxFailureWaitSeconds number

maxLoginFailures number

How many failures before wait is triggered.

minimumQuickLoginWaitSeconds number

How long to wait after a quick login failure.

max_failure_wait_seconds - (Optional) Max. time a user will be locked out.

permanentLockout boolean

When true, this will lock the user permanently when the user exceeds the maximum login failures.

quickLoginCheckMilliSeconds number

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

waitIncrementSeconds number

This represents the amount of time a user should be locked out when the login failure threshold has been met.

failure_reset_time_seconds int

When will failure count be reset?

max_failure_wait_seconds int

max_login_failures int

How many failures before wait is triggered.

minimum_quick_login_wait_seconds int

How long to wait after a quick login failure.

max_failure_wait_seconds - (Optional) Max. time a user will be locked out.

permanent_lockout bool

When true, this will lock the user permanently when the user exceeds the maximum login failures.

quick_login_check_milli_seconds int

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

wait_increment_seconds int

This represents the amount of time a user should be locked out when the login failure threshold has been met.

failureResetTimeSeconds Number

When will failure count be reset?

maxFailureWaitSeconds Number

maxLoginFailures Number

How many failures before wait is triggered.

minimumQuickLoginWaitSeconds Number

How long to wait after a quick login failure.

max_failure_wait_seconds - (Optional) Max. time a user will be locked out.

permanentLockout Boolean

When true, this will lock the user permanently when the user exceeds the maximum login failures.

quickLoginCheckMilliSeconds Number

Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

waitIncrementSeconds Number

This represents the amount of time a user should be locked out when the login failure threshold has been met.

RealmSecurityDefensesHeaders

ContentSecurityPolicy string: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
ContentSecurityPolicyReportOnly string: Used for testing Content Security Policies.
StrictTransportSecurity string: The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
XContentTypeOptions string: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
XFrameOptions string: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the RFC7034
XRobotsTag string: Prevent pages from appearing in search engines.
XXssProtection string: This header configures the Cross-site scripting (XSS) filter in your browser.

ContentSecurityPolicy string: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
ContentSecurityPolicyReportOnly string: Used for testing Content Security Policies.
StrictTransportSecurity string: The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
XContentTypeOptions string: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
XFrameOptions string: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the RFC7034
XRobotsTag string: Prevent pages from appearing in search engines.
XXssProtection string: This header configures the Cross-site scripting (XSS) filter in your browser.

contentSecurityPolicy String: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
contentSecurityPolicyReportOnly String: Used for testing Content Security Policies.
strictTransportSecurity String: The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
xContentTypeOptions String: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
xFrameOptions String: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the RFC7034
xRobotsTag String: Prevent pages from appearing in search engines.
xXssProtection String: This header configures the Cross-site scripting (XSS) filter in your browser.

contentSecurityPolicy string: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
contentSecurityPolicyReportOnly string: Used for testing Content Security Policies.
strictTransportSecurity string: The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
xContentTypeOptions string: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
xFrameOptions string: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the RFC7034
xRobotsTag string: Prevent pages from appearing in search engines.
xXssProtection string: This header configures the Cross-site scripting (XSS) filter in your browser.

content_security_policy str: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
content_security_policy_report_only str: Used for testing Content Security Policies.
strict_transport_security str: The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
x_content_type_options str: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
x_frame_options str: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the RFC7034
x_robots_tag str: Prevent pages from appearing in search engines.
x_xss_protection str: This header configures the Cross-site scripting (XSS) filter in your browser.

contentSecurityPolicy String: Sets the Content Security Policy, which can be used for prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.
contentSecurityPolicyReportOnly String: Used for testing Content Security Policies.
strictTransportSecurity String: The Script-Transport-Security HTTP header tells browsers to always use HTTPS.
xContentTypeOptions String: Sets the X-Content-Type-Options, which can be used for prevent MIME-sniffing a response away from the declared content-type
xFrameOptions String: Sets the x-frame-option, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the RFC7034
xRobotsTag String: Prevent pages from appearing in search engines.
xXssProtection String: This header configures the Cross-site scripting (XSS) filter in your browser.

RealmSmtpServer

From string: The email address for the sender.
Host string: The host of the SMTP server.
Auth RealmSmtpServerAuth: Enables authentication to the SMTP server. This block supports the following arguments:
EnvelopeFrom string: The email address uses for bounces.
FromDisplayName string: The display name of the sender email address.
Port string: The port of the SMTP server (defaults to 25).
ReplyTo string: The "reply to" email address.
ReplyToDisplayName string: The display name of the "reply to" email address.
Ssl bool: When true, enables SSL. Defaults to false.
Starttls bool: When true, enables StartTLS. Defaults to false.

From string: The email address for the sender.
Host string: The host of the SMTP server.
Auth RealmSmtpServerAuth: Enables authentication to the SMTP server. This block supports the following arguments:
EnvelopeFrom string: The email address uses for bounces.
FromDisplayName string: The display name of the sender email address.
Port string: The port of the SMTP server (defaults to 25).
ReplyTo string: The "reply to" email address.
ReplyToDisplayName string: The display name of the "reply to" email address.
Ssl bool: When true, enables SSL. Defaults to false.
Starttls bool: When true, enables StartTLS. Defaults to false.

from String: The email address for the sender.
host String: The host of the SMTP server.
auth RealmSmtpServerAuth: Enables authentication to the SMTP server. This block supports the following arguments:
envelopeFrom String: The email address uses for bounces.
fromDisplayName String: The display name of the sender email address.
port String: The port of the SMTP server (defaults to 25).
replyTo String: The "reply to" email address.
replyToDisplayName String: The display name of the "reply to" email address.
ssl Boolean: When true, enables SSL. Defaults to false.
starttls Boolean: When true, enables StartTLS. Defaults to false.

from string: The email address for the sender.
host string: The host of the SMTP server.
auth RealmSmtpServerAuth: Enables authentication to the SMTP server. This block supports the following arguments:
envelopeFrom string: The email address uses for bounces.
fromDisplayName string: The display name of the sender email address.
port string: The port of the SMTP server (defaults to 25).
replyTo string: The "reply to" email address.
replyToDisplayName string: The display name of the "reply to" email address.
ssl boolean: When true, enables SSL. Defaults to false.
starttls boolean: When true, enables StartTLS. Defaults to false.

from_ str: The email address for the sender.
host str: The host of the SMTP server.
auth RealmSmtpServerAuth: Enables authentication to the SMTP server. This block supports the following arguments:
envelope_from str: The email address uses for bounces.
from_display_name str: The display name of the sender email address.
port str: The port of the SMTP server (defaults to 25).
reply_to str: The "reply to" email address.
reply_to_display_name str: The display name of the "reply to" email address.
ssl bool: When true, enables SSL. Defaults to false.
starttls bool: When true, enables StartTLS. Defaults to false.

from String: The email address for the sender.
host String: The host of the SMTP server.
auth Property Map: Enables authentication to the SMTP server. This block supports the following arguments:
envelopeFrom String: The email address uses for bounces.
fromDisplayName String: The display name of the sender email address.
port String: The port of the SMTP server (defaults to 25).
replyTo String: The "reply to" email address.
replyToDisplayName String: The display name of the "reply to" email address.
ssl Boolean: When true, enables SSL. Defaults to false.
starttls Boolean: When true, enables StartTLS. Defaults to false.

RealmSmtpServerAuth

Password string: The SMTP server password.
Username string: The SMTP server username.

Password string: The SMTP server password.
Username string: The SMTP server username.

password String: The SMTP server password.
username String: The SMTP server username.

password string: The SMTP server password.
username string: The SMTP server username.

password str: The SMTP server password.
username str: The SMTP server username.

password String: The SMTP server password.
username String: The SMTP server username.

RealmWebAuthnPasswordlessPolicy

AcceptableAaguids List<string>: A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string: The WebAuthn relying party ID.
RequireResidentKey string: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms List<string>: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
UserVerificationRequirement string: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

AcceptableAaguids []string: A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string: The WebAuthn relying party ID.
RequireResidentKey string: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms []string: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
UserVerificationRequirement string: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids List<String>: A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference String: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment String: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister Boolean: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout Integer: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName String: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId String: The WebAuthn relying party ID.
requireResidentKey String: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms List<String>: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
userVerificationRequirement String: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids string[]: A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference string: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment string: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister boolean: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout number: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName string: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId string: The WebAuthn relying party ID.
requireResidentKey string: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms string[]: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
userVerificationRequirement string: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptable_aaguids Sequence[str]: A set of AAGUIDs for which an authenticator can be registered.
attestation_conveyance_preference str: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticator_attachment str: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoid_same_authenticator_register bool: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
create_timeout int: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relying_party_entity_name str: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relying_party_id str: The WebAuthn relying party ID.
require_resident_key str: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signature_algorithms Sequence[str]: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
user_verification_requirement str: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids List<String>: A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference String: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment String: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister Boolean: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout Number: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName String: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId String: The WebAuthn relying party ID.
requireResidentKey String: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms List<String>: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
userVerificationRequirement String: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

RealmWebAuthnPolicy

AcceptableAaguids List<string>: A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string: The WebAuthn relying party ID.
RequireResidentKey string: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms List<string>: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
UserVerificationRequirement string: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

AcceptableAaguids []string: A set of AAGUIDs for which an authenticator can be registered.
AttestationConveyancePreference string: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
AuthenticatorAttachment string: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
AvoidSameAuthenticatorRegister bool: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
CreateTimeout int: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
RelyingPartyEntityName string: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
RelyingPartyId string: The WebAuthn relying party ID.
RequireResidentKey string: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
SignatureAlgorithms []string: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
UserVerificationRequirement string: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids List<String>: A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference String: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment String: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister Boolean: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout Integer: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName String: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId String: The WebAuthn relying party ID.
requireResidentKey String: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms List<String>: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
userVerificationRequirement String: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids string[]: A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference string: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment string: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister boolean: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout number: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName string: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId string: The WebAuthn relying party ID.
requireResidentKey string: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms string[]: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
userVerificationRequirement string: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptable_aaguids Sequence[str]: A set of AAGUIDs for which an authenticator can be registered.
attestation_conveyance_preference str: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticator_attachment str: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoid_same_authenticator_register bool: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
create_timeout int: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relying_party_entity_name str: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relying_party_id str: The WebAuthn relying party ID.
require_resident_key str: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signature_algorithms Sequence[str]: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
user_verification_requirement str: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

acceptableAaguids List<String>: A set of AAGUIDs for which an authenticator can be registered.
attestationConveyancePreference String: The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.
authenticatorAttachment String: The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.
avoidSameAuthenticatorRegister Boolean: When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.
createTimeout Number: The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.
relyingPartyEntityName String: A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.
relyingPartyId String: The WebAuthn relying party ID.
requireResidentKey String: Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.
signatureAlgorithms List<String>: A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1.
userVerificationRequirement String: Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

Import

Realms can be imported using their name. Examplebash

 $ pulumi import keycloak:index/realm:Realm realm my-realm

Package Details

Repository: Keycloak pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.

keycloak.Realm

Default Client Scopes

Example Usage

Create Realm Resource

Realm Resource Properties

Inputs

Outputs

Look up Existing Realm Resource

Supporting Types

RealmInternationalization

RealmOtpPolicy

RealmSecurityDefenses

RealmSecurityDefensesBruteForceDetection

RealmSecurityDefensesHeaders

RealmSmtpServer

RealmSmtpServerAuth

RealmWebAuthnPasswordlessPolicy

RealmWebAuthnPolicy

Import

Package Details

Contents